Endpoint Protection


How to find when a file was dropped

  • 1.  How to find when a file was dropped

    Posted Sep 19, 2016 10:02 AM

    Hello,

    Is there a way to find out when a file was dropped on a system?

    We have a situation, where a malware file is quarantined by SEP on many systems.

    However, there are some systems, where, we know the malware exists in a given location [which is not excluded from scan], but still, it is not actioned by SEP.

    Maybe, the file was dropped after the last scheduled full scan. So, when I manually access the location, Auto-Protect quarantines it.

    So, I am thinking that the file could have been dropped after the last scheduled scan completed running. If that is the case, shouldn't Auto-Protect pick it up when it was dropped?

    Please assist.

     

    Thanks,

    Jimmy

    =-=-=



  • 2.  RE: How to find when a file was dropped

    Posted Sep 19, 2016 10:07 AM

    Probably not an easy way to do this since it is more file integrity monitoring - which SEP doesn't inherently do.

    You could create an application control rule to monitor all file/folder access.

    https://www.symantec.com/connect/articles/how-utilize-sep-121-incident-response-part-7

    Auto-Protect would only report on "action" times.



  • 3.  RE: How to find when a file was dropped

    Posted Sep 19, 2016 03:44 PM

    Hi Brian,

    Thanks for the quick revert!

    ADC is not currently enabled; however, it should be a good start.

    Assuming that the file got dropped after the last scheduled full scan, shouldn't Auto-Protect have detected and actioned upon it when it was dropped?

     

    Thanks,

    Jimmy

    =-=-=



  • 4.  RE: How to find when a file was dropped

    Posted Sep 19, 2016 04:02 PM

    If there was a signature available. Also may depend if the file was encrypted, compressed, password protected, etc. But AP will usually detect pretty quickly and the remediation process may take a few seconds to a few minutes depending on the environmental factors.



  • 5.  RE: How to find when a file was dropped

    Posted Sep 20, 2016 06:22 AM

    Hi Brian,

    The following Advanced Scanning options of Auto-Protect have been enabled. But we have systems where the malware file is lying as-is for days without having been actioned upon by both Auto-Protect and Scheduled Full scans. Weekly scheduled scans are running successfully on this system.

    • Always delete newly created infected files
    • Always delete newly created infected security risks

    It is an exe file in uncompressed state.

    On 1 system, manually accessing the folder location [folder containing the malware file] using Windows Explorer triggered Auto-Protect to quarantine the malware, which is OK.

    However, on a few other systems, navigating to the same folder location using CMD shows the malware file with a much older date. No action has still been taken by Auto-Protect. It is lying there as-is.

    The CMD command dir /T:C [http://ss64.com/nt/dir.html] shows the file-drop date.

    It proves that both Auto-Protect and Scheduled Full scans have not actioned upon them.

    Moreover, a manual scan of the parent folder [folder containing the folder with malware file] resulted in nothing being detected.


    So, at this juncture, we feel that Auto-Protect is not doing its job.

    Any clue?

     

    Thanks,

    Jimmy

    =-=-=

     


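    The question above is whether the file appeared after the last scheduled full scan finished. The following Python script is an added example (not from this thread or from Symantec) that does what `dir /T:C` does by hand: it walks a folder, reads each file's creation timestamp, keeps the ones created after a cutoff you supply (for example the scan completion time taken from the SEP client log), and records their SHA-256 so the finding can be cross-checked later. Directory and cutoff values are assumptions passed in by the caller.

```python
"""Find files created after a cutoff (e.g. the end of the last scheduled scan).

Creation time is the same field that `dir /T:C` prints on Windows. On Linux,
Python does not expose a birth time, so st_ctime (inode change time) is used as
a lower bound; on Windows and macOS st_birthtime / st_ctime is true creation time.
"""
import hashlib
from datetime import datetime, timezone
from pathlib import Path


def creation_time(path: Path) -> datetime:
    """Return the best available creation timestamp for a file, in UTC."""
    st = path.stat()
    ts = getattr(st, "st_birthtime", None)  # present on Windows 3.12+, macOS, BSD
    if ts is None:
        ts = st.st_ctime  # Windows <3.12: creation time; Linux: inode change time
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large droppers do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def files_dropped_after(root: str, cutoff: datetime) -> list[dict]:
    """List files under `root` whose creation time is later than `cutoff`.

    `cutoff` must be timezone-aware; results are sorted by path for stable output.
    """
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware (e.g. tz=timezone.utc)")
    found = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        created = creation_time(p)
        if created > cutoff:
            found.append({
                "path": str(p),
                "created_utc": created.isoformat(),
                "sha256": sha256_of(p),
            })
    return found
```

Feed the list to your scan-result comparison: any file created after the scan finished was never covered by that scan, so only Auto-Protect could have caught it.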

  • 6.  RE: How to find when a file was dropped

    Posted Sep 20, 2016 07:19 AM

    It sounds like signatures don't exist to detect it. Upload it to VirusTotal; does Symantec show a detection for it?



  • 7.  RE: How to find when a file was dropped

    Posted Sep 20, 2016 09:43 AM

    From what you've described, I'd be inclined to believe that signatures did not exist for this file at the time it was created, which would be why Auto-Protect failed to pick it up.  While it's true that the Scheduled Scan's Insight lookup (reputation based scan) might have detected the file, this is by no means guaranteed.

    If current attempts to access the file cause Auto-Protect to remove it, then it certainly suggests sigs have been developed and released after the initial "drop".

    There's no real way of "dropping" a file without Auto-Protect seeing it (short of booting a machine to an alternative OS that is not running any AV, and using that to write the file).  And even then, once booted back into Windows, the file would get caught on-access (once again, assuming sigs exist).

    At this point, I'd probably suggest you schedule more regular full scans.

    With regards to your manual scan failing to find the offending file, perhaps the below article would help:

    http://www.symantec.com/docs/TECH103126

    http://www.symantec.com/docs/TECH99222



  • 8.  RE: How to find when a file was dropped

    Posted Sep 20, 2016 12:16 PM

    Possibly a new variant that needs to be submitted for signature creation and detection.

    Upload a suspected infected file (Essential)

     
     

    Use the form below to upload a suspected infected file or an email with a malicious attachment to Symantec Security Response.

    This submission form is intended for Essential customers with a valid support ID number.

    Users of Norton products may submit suspicious files to Security Response by using this submission form instead.

    If you are submitting a file you believe to be clean, please use this submission form.

    https://submit.symantec.com/websubmit/essential.cgi



  • 9.  RE: How to find when a file was dropped

    Posted Sep 21, 2016 01:19 PM

    Hi Brian / SMLatCST,

    The SEP Client seems to have some issue. Though the components are updated, it fails to detect the malware file.

    Maybe, it is corrupt.

     

    One last question before closing this chapter.

    How do we retrieve the quarantined malware file for forensic analysis? The restored malware file is not allowed to be accessed/copied by Auto-Protect. It gets quarantined again.

     

    Thanks,

    Jimmy

    =-=-=

     



  • 10.  RE: How to find when a file was dropped

    Posted Sep 21, 2016 01:32 PM

    Symantec offers a quarantine server solution but that already needed to be in place.

    I'm not sure there is another way though - have you tried disabling auto-protect then trying to restore?



  • 11.  RE: How to find when a file was dropped

    Posted Sep 22, 2016 01:55 AM

    Hi Brian,

    We tried to restore followed by disabling SEP, but seems like the Auto-Protect component already loaded in memory picks it up.

    A Central Quarantine Server is not part of the implementation yet. Wouldn't Auto-Protect on the Central Quarantine Server, too, do the same when it is restored?

    The objective here is to retrieve the malware file for forensic analysis so that investigations in the event of an outbreak become manageable.
     

    Thanks,

    Jimmy

    =-=-=

     



  • 12.  RE: How to find when a file was dropped

    Posted Sep 22, 2016 03:44 AM

    http://www.symantec.com/docs/TECH97449

    That article should help.  It talks you through accessing the SEP quarantined (and encrypted) files and submitting them to Symantec.

    To be fair, you can do this from inside the SEP Client anyway (as long as it is quarantined and not deleted), using the "Submit..." button under View Quarantine in the SEP Client console.

    Unfortunately, I'm not aware of how to get a hold of the file for your own internal forensics without disabling SEP Auto-Protect before restoring.



  • 13.  RE: How to find when a file was dropped

    Posted Sep 22, 2016 05:35 AM

    Thanks for the article!

    Retrieving the same file is important as the hash value is retained, and the file is not encrypted the way it is in the case of the .VBN files.